| Oracle® Database Security Guide 10g Release 1 (10.1) Part Number B10773-01 |
|
|
View PDF |
| Oracle® Database Security Guide 10g Release 1 (10.1) Part Number B10773-01 |
|
|
View PDF |
The authentication processes described in Chapter 4 validate the identities of the entities using your networks, databases, and applications
The authorization processes described in Chapter 5 provide limits to their access and actions, limits that are linked to their identities and roles.
This chapter describes restrictions associated not with users but with objects, providing protection regardless of the entity who seeks, by whatever means, to access or alter them.
You provide object protections using object-level privileges and views, as well as by designing and using policies to restrict access to specific tables, views, synonyms, or rows. This level of control, which enables you to use application context with fine-grained access control, is called Virtual Private Database, or VPD. Such policies invoke functions that you design to specify dynamic predicates establishing the restrictions. You can also group established policies, applying a policy group to a particular application.
Having established such protections, you need to be notified when they are threatened or breached. Auditing capabilities enable you to receive notification of activities you want watched, and to investigate in advance of or in response to being notified. Given notification, you can strengthen your defenses and deal with the consequences of inappropriate actions and the entities who caused them. Oracle's auditing facilities are introduced in Chapter 8, "Database Auditing: Security Considerations" and described in detail in Chapter 11, "Configuring and Administering Auditing".
This chapter describes Oracle's access control capabilities in the following sections:
See Also:
|
A view is a presentation of data selected from one or more tables (possibly including other views). In addition to showing the selected data, a view also shows the structure of the underlying tables, and can be thought of as the result of a stored query.
The view contains no actual data but rather derives what it shows from the tables and views on which it is based. A view can be queried, and the data it represents can be changed. Data in a view can be updated or deleted, and new data inserted. These operations directly alter the tables on which the view is based and are subject to the integrity constraints and triggers of the base tables.
For example, a base table of all employee data may have several columns and numerous rows of information. If you want users to see only specific columns, you can create a view of that table, containing only the allowable columns. You can then grant other users access to the new view, while disallowing access to the base table.
Figure 6-1 shows an example of a view called staff derived from the base table employees. Notice that the view shows only five of the columns in the base table.
Text description of the illustration viewexam.gif
As discussed extensively in Chapter 5, a schema object privilege is a privilege or right to perform a particular action on a specific schema object. Different object privileges are available for different types of schema objects. Privileges related to views are discussed in that chapter, in the View Privileges section. Some schema objects, such as clusters, indexes, triggers, and database links, do not have associated object privileges. Their use is controlled with system privileges. For example, to alter a cluster, a user must own the cluster or have the ALTER ANY CLUSTER system privilege.
All these privileges, including those for tables, views, procedures, types and more, are introduced in Chapter 5's section entitled Introduction to Privileges. The tools and processes for managing these security facilities are discussed in Chapter 10, "Administering User Privileges, Roles, and Profiles".
In some circumstances, a finer level of access control is needed for tables or rows and the possible actions on them, sometimes associated with particular applications. When such controls are needed, Oracle's fine-grained access control capabilities can be used, as described in the next section.
Fine-grained access control enables you to use functions to implement security policies and to associate those security policies with tables, views, or synonyms.
| See Also:
Using application context with fine-grained access control is called Virtual Private Database, or VPD. See these references: |
The database server automatically enforces your security policies, no matter how the data is accessed, including, for example, through an application by ad hoc queries.
Fine-grained access control enables you to use all of the following capabilities:
SELECT, INSERT, UPDATE, and DELETE.INDEX, in row level security policies.The PL/SQL package DBMS_RLS let you administer your security policies. Using this package, you can add, drop, enable, disable, and refresh the policies (or policy groups) you create.
See Also:
|
The following subsections describe how fine-grained access control works:
A dynamic predicate for a table, view, or synonym is generated by a PL/SQL function, which you write and associate with a security policy through a PL/SQL interface.
Dynamic predicates are acquired at statement parse time, when the base table or view is referenced in a query using SELECT or a DML statement.
The function or package that implements the security policy you create returns a predicate (a WHERE condition). This predicate controls access according to the policy you specified. Rewritten queries are fully optimized and shareable.
Here is an example of such a policy:
DBMS_RLS.ADD_POLICY ( 'hr', 'employees', 'emp_policy', 'hr', 'emp_sec', 'select');
Whenever the EMPLOYEES table, under the HR schema, is referenced in a query or subquery (SELECT), the server calls your EMP_SEC function (under the HR schema). This function returns a predicate (called P1 in the following section) defined in the function, which in this example could be specific to the current user for the EMP_POLICY policy. Your policy function can generate the predicates based on the session environment variables available during the function call, that is, from the application context as described in the next section. The policy can specify any combination of security-relevant columns and any combination of these statement types: SELECT, INSERT, UPDATE, DELETE, or INDEX. You can also specify whether the result of an INSERT or UPDATE should immediately be checked against the policy.
The server then produces a transient view, with the text:
SELECT * FROM hr.employees WHERE P1
Here, P1 (for example, where SAL > 10000, or even a subquery) is the predicate returned from your EMP_SEC function. The server treats the EMPLOYEES table as a view and does the view expansion just like the ordinary view, except that the view text is taken from the transient view instead of the data dictionary.
The policy function creates a WHERE clause relevant to the current user by using information from the set of session environment variables called application context.
Application context helps you apply fine-grained access control because you can link your function-based security policies with applications.
Oracle provides a built-in application context namespace, USERENV, which provides access to predefined attributes. These attributes are session primitives--information that the database automatically captures regarding a user's session. For example, the IP address from which a user connected, the username, and a proxy username (in cases where a user connection is proxied through a middle tier), are all available as predefined attributes through the USERENV application context.
Each application has its own application-specific context, which users cannot arbitrarily change (for example, through SQL*Plus). Context attributes are accessible to the functions implementing your security policies.
For example, context attributes you could use from a human resources application could include "position," "organizational unit," and "country." Attributes available from an order-entry control system might include "customer number" and "sales region".
Application contexts thus permit flexible, parameter-based access control using context attributes relevant to an application and to policies you might want to create for controlling its use.
You can:
To define an application context:
CREATE CONTEXT to specify a unique context name and associate it with the PL/SQL package you created.SELECT * FROM Orders_tab to the following:
SELECT * FROM Orders_tab WHERE Custno = SYS_CONTEXT ('order_entry', 'cust_num');
The next subsection, Dynamic Contexts, describes run-time efficiencies you can establish by identifying how dynamic each of your policies is, using these categories: static, shared, context-sensitive, or dynamic.
When you create a policy, you can establish run-time efficiencies by specifying whether the policy is static, shared, context-sensitive, or dynamic:
| See also:
The section titled How to Add a Policy to a Table, View, or Synonym in Chapter 14, "Implementing Application Context and Fine-Grained Access Control". |
Even after designing and implementing protective measures using privileges, views, and policies, you want to know when these measures are threatened or breached. Auditing can notify you of suspicious or questionable activities. You can then investigate, strengthen your defenses, and deal with inappropriate actions, consequences, and security offenders.
Use auditing to complement your access controls from several perspectives:
Chapter 8, "Database Auditing: Security Considerations" introduces Oracle's auditing facilities, and Chapter 11, "Configuring and Administering Auditing" describes them in detail.
|
 Copyright © 2003 Oracle Corporation All Rights Reserved. |
|